glibc/stdio-common/bug23-2.c
Jeff Law a5357b7ce2 CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
A larger number of format specifiers coudld cause a stack overflow,
potentially allowing to bypass _FORTIFY_SOURCE format string
protection.
2014-12-15 10:09:33 +01:00

71 lines
1.5 KiB
C

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
static const char expected[] = "\
\n\
a\n\
abbcd55\
\n\
a\n\
abbcd55\
\n\
a\n\
abbcd55\
\n\
a\n\
abbcd55\
\n\
a\n\
abbcd55\
\n\
a\n\
abbcd55\
\n\
a\n\
abbcd55\
\n\
a\n\
abbcd55\
\n\
a\n\
abbcd55\
\n\
a\n\
abbcd55\
\n\
a\n\
abbcd55\
\n\
a\n\
abbcd55\
\n\
a\n\
abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n";
static int
do_test (void)
{
char *buf = malloc (strlen (expected) + 1);
snprintf (buf, strlen (expected) + 1,
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d"
"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n",
"a", "b", "c", "d", 5);
return strcmp (buf, expected) != 0;
}
#define TEST_FUNCTION do_test ()
#include "../test-skeleton.c"